Preparing For and Surviving a Data Breach
Credit unions spend millions of dollars complying with regulation designed to reduce the risk that the use of information technology presents, yet must spend millions more on card replacement and other costs to protect their members when a card processor or vendor is breached.
This article covers lessons learned through many breach responses that can save your organization time and money when preparing for and responding to an internal data security breach.
Credit union regulatory compliance requirements provide good treatment of the IT risk controls necessary to protect members and the organization from loss. However, the evolving world of cyber threats requires preparation and vigilance by organizations.
Compliance with regulatory requirements doesn’t mean your security can’t be breached. Many times, data breach victims have clean compliance reports on the day they are breached, due to how fast the threat landscape changes.
The arms race between information security defense and attack capabilities continues to escalate. Regulators and industry standards are hard pressed to address emerging threats that target gaps in current security practices.
Due to the risk of breach to financial institutions, the Federal Financial Institutions Examination Council IT Handbook stipulates that all financial institutions must have an Incident Response Plan. This should be any organization’s first step in preparing for a data breach.
How your organization defines and creates its Incident Response Plan will have a significant impact on the success of a breach response. The plan should clearly identify team members, provide guidance on response activities, and address the many regulatory and fiduciary responsibilities of your organization. Testing the plan on a regular, periodic basis and improving it are also extremely important.
An adequate cyber insurance policy is highly recommended. Data breach response by qualified response vendors can cost tens of millions of dollars, depending on the scope of the breach and the size of your organization.
Ensuring that your policy has adequate coverage amounts, and most critically, that it provides “first party” coverage, is essential to executing an effective cyber insurance policy. “First party” policies provide your organization with direct reimbursement for activities such as crisis management, disclosure, remediation, and extra expenses associated with responding to a data breach.
During a data breach, your organization will face many challenges while resolving the crisis. Understanding the scope of the breach, including the number of data records accessed or stolen, and the method that attackers used to access and steal data are all priorities in the first stage response.
Dealing with regulators, affected members and third parties will require dedicated communication channels and staff. Your response team must have resources to contain and eradicate attacker presence, and must be able to effectively remediate the cause of the breach.
For breaches that require in-depth forensic investigation, real-time monitoring, or extensive remediation that exceeds the capabilities of your organization’s IT support staff or vendor, the services of an incident response vendor will be required to augment or outright perform response activities.
Developing a relationship with an incident response vendor and external legal counsel before a breach occurs can provide your organization with reduced rates, rapid response, and simplified contracting and service delivery when you need it most. Incident response vendors should be engaged through external legal counsel, so that attorney-client privilege can be applied during response activities where possible.
Finally, and perhaps most importantly, it is critical that senior leadership and legal counsel stay engaged with the response team, and have direct and frequent access to objective and progress reports. The level at which a response vendor is engaged within your organization is critical to reducing the amount of time and capital required to resolve a breach.
Executive leadership should receive clearly understandable, regular and sufficiently detailed status reports from the response vendor. A clear communication channel between the response team, vendors, and senior decision makers is a critical success factor.
As the pace of technology adoption and emerging threats has increased, organizations continue to be challenged to meet regulatory requirements and smartly address security concerns within their budgets. At the same time, data breaches have become more frequent. Preparing for them with the proper tools, staff, partners, and plans will dramatically decrease the amount of pain felt during a breach response.